auditor-lambda 0.10.3 → 0.10.8

package/dist/orchestrator/intakeExecutors.js

@@ -4,10 +4,6 @@ import { isGitRepo, writeJsonFile } from "@audit-tools/shared";
 import { buildFileDisposition, isAuditExcludedStatus, } from "../extractors/disposition.js";
 import { buildRepoManifestFromFs } from "../extractors/fsIntake.js";
 import { loadIgnoreFile } from "../extractors/ignore.js";
-/** Prefix used to carry the scope summary inside `progress_summary` for hosts
- *  that read the step's progress text rather than the `scope_summary.json`
- *  artifact. The loader extracts everything after this marker as JSON. */
-export const SCOPE_SUMMARY_PREFIX = "SCOPE_SUMMARY:";
 /**
  * Detect signals that the resolved audit root may be the *wrong* directory.
  * Two heuristics, returned as zero or more human-readable warnings:
@@ -37,14 +33,30 @@ export function detectMisScopeSmells(root) {
         }
     }
     // (b) Workspace member of a parent monorepo.
+    // Walk up ancestor directories (up to 3 levels) looking for a package.json
+    // that declares a `workspaces` field. This handles standard nested monorepo
+    // layouts like `monorepo-root/packages/my-pkg` where the direct parent
+    // (`packages/`) has no package.json of its own. Stop early if a .git
+    // boundary is found (we already checked that case under heuristic (a)).
     const rootPkg = readPackageJson(root);
     if (rootPkg && rootPkg.name !== undefined) {
-        const parent = dirname(root);
-        if (parent && parent !== root) {
-            const parentPkg = readPackageJson(parent);
-            if (parentPkg && parentPkg.workspaces !== undefined) {
-                smells.push(`root appears to be a workspace member of a parent monorepo at '${parent}' — consider auditing from the monorepo root instead`);
+        let current = dirname(root);
+        let previous = root;
+        let levelsChecked = 0;
+        const maxLevels = 3;
+        while (current && current !== previous && levelsChecked < maxLevels) {
+            const ancestorPkg = readPackageJson(current);
+            if (ancestorPkg && ancestorPkg.workspaces !== undefined) {
+                smells.push(`root appears to be a workspace member of a parent monorepo at '${current}' — consider auditing from the monorepo root instead`);
+                break;
+            }
+            // Stop at a .git boundary — the repo root won't be a workspaces ancestor.
+            if (existsSync(join(current, ".git"))) {
+                break;
             }
+            previous = current;
+            current = dirname(current);
+            levelsChecked++;
         }
     }
     return smells;
@@ -84,15 +96,13 @@ export async function runIntakeExecutor(bundle, root, artifactsDir) {
     };
     const artifactsWritten = ["repo_manifest.json", "file_disposition.json"];
     // Persist the scope summary alongside the other intake artifacts when we know
-    // where the artifacts directory is. The typed `scope_summary` field and the
-    // progress_summary marker below carry the same data for hosts that don't read
-    // the file directly.
+    // where the artifacts directory is. Hosts read scope_summary.json directly;
+    // the typed `scope_summary` field on ExecutorRunResult is the in-process channel.
     if (artifactsDir) {
         await writeJsonFile(join(artifactsDir, "scope_summary.json"), scopeSummary);
         artifactsWritten.push("scope_summary.json");
     }
-    const progressSummary = `${SCOPE_SUMMARY_PREFIX}${JSON.stringify(scopeSummary)}\n` +
-        `Created intake artifacts for ${repoManifest.files.length} files ` +
+    const progressSummary = `Created intake artifacts for ${repoManifest.files.length} files ` +
         `(${auditableCount} auditable). Scope: ${root}, git: ${scopeSummary.git_available ? "yes" : "no"}` +
         (scopeSummary.mis_scope_smells.length > 0
             ? `; ${scopeSummary.mis_scope_smells.length} mis-scope warning(s)`

package/dist/orchestrator/localCommands.d.ts

@@ -10,5 +10,6 @@ export interface LocalCommandResult {
     stderr: string;
     error?: Error;
 }
+export declare function __resolveFromPathForTests(command: string): string | null;
 export declare function runFirstAvailableCommand(root: string, candidates: LocalCommandCandidate[]): LocalCommandResult | null;
 export declare function resolveNodeTool(root: string, relativePath: string, args: string[], display: string): LocalCommandCandidate[];

package/dist/orchestrator/localCommands.js

@@ -9,6 +9,9 @@ function toSpawnTuple(candidate) {
     const resolved = resolveExecArgv([candidate.command, ...candidate.args]);
     return { command: resolved[0], args: resolved.slice(1) };
 }
+export function __resolveFromPathForTests(command) {
+    return resolveFromPath(command);
+}
 function resolveFromPath(command) {
     if (command.trim().length === 0) {
         return null;
@@ -30,24 +33,14 @@ function resolveFromPath(command) {
             .filter((ext) => ext.length > 0)
             .map((ext) => (ext.startsWith(".") ? ext : `.${ext}`))
         : [""];
+    // On Win32 without an extension: probe PATHEXT extensions first, then the
+    // bare name (empty-string suffix). On Win32 with an extension, or non-Win32:
+    // use only the bare name (extensions is already [''] on non-Win32).
+    const effectiveExtensions = process.platform === "win32" && extname(command).length === 0
+        ? [...extensions, ""]
+        : [""];
     for (const dir of pathEntries) {
-        const directPath = join(dir, command);
-        if (process.platform === "win32" && extname(command).length === 0) {
-            for (const ext of extensions) {
-                const candidatePath = join(dir, `${command}${ext}`);
-                if (existsSync(candidatePath)) {
-                    return candidatePath;
-                }
-            }
-            if (existsSync(directPath)) {
-                return directPath;
-            }
-            continue;
-        }
-        if (existsSync(directPath)) {
-            return directPath;
-        }
-        for (const ext of extensions) {
+        for (const ext of effectiveExtensions) {
             const candidatePath = join(dir, `${command}${ext}`);
             if (existsSync(candidatePath)) {
                 return candidatePath;

package/dist/orchestrator/nextStep.js

@@ -53,6 +53,8 @@ export function decideNextStep(bundle) {
         state,
         selected_obligation: next.id,
         selected_executor: executor?.id ?? null,
-        reason: `Selected highest-priority actionable obligation ${next.id}.`,
+        reason: executor
+            ? `Selected highest-priority actionable obligation ${next.id}.`
+            : `No executor found for obligation ${next.id}; EXECUTOR_REGISTRY has no entry for this obligation ID. This is a configuration gap — the obligation was selected but cannot be dispatched.`,
     };
 }

package/dist/orchestrator/requeueCommand.js

@@ -26,10 +26,14 @@ function dedupeByScope(tasks) {
     return deduped;
 }
 export function buildRequeuePayload(matrix, criticalFlows, flowCoverage, externalAnalyzerResults) {
+    // Dedupe within each source first — each generator may emit duplicate task_ids independently.
     const fileTasks = dedupeTasks(buildRequeueTasks(matrix, externalAnalyzerResults));
     const flowTasks = criticalFlows && flowCoverage
         ? dedupeTasks(buildFlowRequeueTasks(criticalFlows, flowCoverage, matrix, externalAnalyzerResults))
         : [];
+    // Two-pass post-merge dedup:
+    //   1. dedupeTasks removes any cross-source task_id collisions (same task emitted by both generators).
+    //   2. dedupeByScope removes tasks that cover the same lens+file_paths scope but carry different task_ids.
     const tasks = dedupeByScope(dedupeTasks([...fileTasks, ...flowTasks]));
     return {
         task_count: tasks.length,

package/dist/orchestrator/reviewPacketGraph.js

@@ -202,26 +202,58 @@ export function unionFindFromGroups(groups, graphEdges) {
     const uf = new UnionFind(groups.keys());
     const fileToGroupKeys = buildFileToGroupKeys(groups);
     const degreeIndex = buildGraphDegreeIndex(graphEdges);
+    const verbose = Boolean(process.env.AUDIT_CODE_VERBOSE);
     for (const keys of fileToGroupKeys.values()) {
         const [first, ...rest] = [...keys].sort((a, b) => a.localeCompare(b));
         if (!first)
             continue;
         for (const key of rest) {
-            uf.union(first, key);
+            if (verbose) {
+                const rootBefore = uf.find(key);
+                const rootFirst = uf.find(first);
+                uf.union(first, key);
+                if (rootFirst !== rootBefore) {
+                    process.stderr.write(`[audit-code:packet-planning] shared-file merge: "${first}" + "${key}" (roots "${rootFirst}" + "${rootBefore}" → "${uf.find(first)}")\n`);
+                }
+            }
+            else {
+                uf.union(first, key);
+            }
         }
     }
     for (const edge of graphEdges) {
+        const fromGroups = fileToGroupKeys.get(normalizeGraphPath(edge.from));
+        const toGroups = fileToGroupKeys.get(normalizeGraphPath(edge.to));
         if (!isPacketExpansionEdge(edge, degreeIndex)) {
+            if (verbose && fromGroups && toGroups) {
+                // Edge has group mappings but was filtered — check if it was the
+                // high fan-degree guard specifically.
+                const fromFanOut = degreeIndex.fanOut.get(normalizeGraphPath(edge.from)) ?? 0;
+                const toFanIn = degreeIndex.fanIn.get(normalizeGraphPath(edge.to)) ?? 0;
+                const highFanEdge = fromFanOut > HIGH_FAN_DEGREE_THRESHOLD ||
+                    toFanIn > HIGH_FAN_DEGREE_THRESHOLD;
+                if (highFanEdge) {
+                    process.stderr.write(`[audit-code:packet-planning] edge skip (high-fan-degree): "${edge.from}" → "${edge.to}" (fanOut=${fromFanOut}, fanIn=${toFanIn})\n`);
+                }
+            }
             continue;
         }
-        const fromGroups = fileToGroupKeys.get(normalizeGraphPath(edge.from));
-        const toGroups = fileToGroupKeys.get(normalizeGraphPath(edge.to));
         if (!fromGroups || !toGroups) {
             continue;
         }
         for (const fromKey of fromGroups) {
             for (const toKey of toGroups) {
-                uf.union(fromKey, toKey);
+                if (verbose) {
+                    const rootFrom = uf.find(fromKey);
+                    const rootTo = uf.find(toKey);
+                    uf.union(fromKey, toKey);
+                    if (rootFrom !== rootTo) {
+                        process.stderr.write(`[audit-code:packet-planning] edge-driven merge: "${fromKey}" + "${toKey}" via edge "${edge.from}" → "${edge.to}" (kind=${edge.kind ?? "unknown"})\n`);
+                    }
+                }
+                else {
+                    uf.union(fromKey, toKey);
+                }
             }
         }
     }
@@ -588,20 +620,20 @@ function buildEntrypointFlowBridgeEdges(groups, graphEdges, graphBundle) {
     return [...bridgeEdges.values()].sort(compareGraphEdges);
 }
 export function buildPlanningGraphEdges(groups, graphEdges, graphBundle, lineIndex, sizeIndex, targetPacketTokens = DEFAULT_TARGET_PACKET_TOKENS) {
-    const bridgeEdges = buildEntrypointFlowBridgeEdges(groups, graphEdges, graphBundle);
-    const graphWithBridges = bridgeEdges.length > 0 ? [...graphEdges, ...bridgeEdges] : graphEdges;
-    const subsystemEdges = buildSubsystemClusterEdges(groups, graphWithBridges, lineIndex, sizeIndex, targetPacketTokens);
-    const graphWithSubsystems = subsystemEdges.length > 0
-        ? [...graphWithBridges, ...subsystemEdges]
-        : graphWithBridges;
-    const packageOwnershipEdges = buildPackageOwnershipClusterEdges(groups, graphWithSubsystems, lineIndex, sizeIndex, targetPacketTokens);
-    const graphWithPackageOwnership = packageOwnershipEdges.length > 0
-        ? [...graphWithSubsystems, ...packageOwnershipEdges]
-        : graphWithSubsystems;
-    const moduleOwnershipEdges = buildModuleOwnershipClusterEdges(groups, graphWithPackageOwnership, lineIndex, sizeIndex, targetPacketTokens);
-    return moduleOwnershipEdges.length > 0
-        ? [...graphWithPackageOwnership, ...moduleOwnershipEdges]
-        : graphWithPackageOwnership;
+    let edges = graphEdges;
+    const bridgeEdges = buildEntrypointFlowBridgeEdges(groups, edges, graphBundle);
+    if (bridgeEdges.length > 0)
+        edges = [...edges, ...bridgeEdges];
+    const subsystemEdges = buildSubsystemClusterEdges(groups, edges, lineIndex, sizeIndex, targetPacketTokens);
+    if (subsystemEdges.length > 0)
+        edges = [...edges, ...subsystemEdges];
+    const packageOwnershipEdges = buildPackageOwnershipClusterEdges(groups, edges, lineIndex, sizeIndex, targetPacketTokens);
+    if (packageOwnershipEdges.length > 0)
+        edges = [...edges, ...packageOwnershipEdges];
+    const moduleOwnershipEdges = buildModuleOwnershipClusterEdges(groups, edges, lineIndex, sizeIndex, targetPacketTokens);
+    if (moduleOwnershipEdges.length > 0)
+        edges = [...edges, ...moduleOwnershipEdges];
+    return edges;
 }
 function compareGraphEdges(a, b) {
     const confidenceDelta = graphEdgeConfidence(b) - graphEdgeConfidence(a);

package/dist/orchestrator/reviewPackets.js

@@ -3,6 +3,7 @@ import { LENS_ORDER, priorityRank, sortLenses } from "./auditTaskUtils.js";
 import { normalizeGraphPath } from "../extractors/graphPathUtils.js";
 import { DEFAULT_MAX_TASKS_PER_PACKET, DEFAULT_TARGET_PACKET_TOKENS, ESTIMATED_TOKENS_PER_LINE, ESTIMATED_PACKET_PROMPT_TOKENS, sizeIndexFromManifest, fileGroupContentTokens, taskContentTokens, estimateTaskGroupTokens, } from "./reviewPacketSizing.js";
 import { HIGH_FAN_DEGREE_THRESHOLD, collectGraphEdges, buildGraphDegreeIndex, isPacketExpansionEdge, buildFileToGroupKeys, isConcreteGraphEdge, unionFindFromGroups, roundQuality, buildPlanningGraphEdges, buildPacketGraphContext, } from "./reviewPacketGraph.js";
+import { sanitizeSegment } from "./selectiveDeepening/shared.js";
 // Re-exported for scope.ts, which imports the canonical path normalizer here.
 export { normalizeGraphPath };
 // Sizing / token-budget arithmetic moved to reviewPacketSizing.ts; re-exported
@@ -42,12 +43,6 @@ function buildTaskGroups(tasks) {
     }
     return groups;
 }
-function sanitizeSegment(value) {
-    const sanitized = value
-        .replace(/[^a-zA-Z0-9_-]+/g, "-")
-        .replace(/^-+|-+$/g, "");
-    return sanitized.length > 0 ? sanitized : "packet";
-}
 function packetIdFor(tasks, packetIndex) {
     const unit = sanitizeSegment(tasks[0]?.unit_id ?? "review");
     const lenses = sortLenses(tasks.map((task) => task.lens)).join("-");
@@ -75,15 +70,19 @@ function comparePackets(a, b) {
 function chunkPacketTasks(tasks, options) {
     const chunks = [];
     let current = [];
+    const verbose = Boolean(process.env.AUDIT_CODE_VERBOSE);
     for (const task of tasks.sort(compareTasksForPacket)) {
+        const taskEstimatedTokens = taskContentTokens(task, options.sizeIndex, options.lineIndex);
         const isolatedLargeFileTask = task.file_paths.length === 1 &&
-            taskContentTokens(task, options.sizeIndex, options.lineIndex) >
-                options.targetPacketTokens;
+            taskEstimatedTokens > options.targetPacketTokens;
         if (isolatedLargeFileTask) {
             if (current.length > 0) {
                 chunks.push(current);
                 current = [];
             }
+            if (verbose) {
+                process.stderr.write(`[audit-code:packet-planning] isolated large-file chunk: task="${task.task_id}" file="${task.file_paths[0]}" estimatedTokens=${taskEstimatedTokens} targetPacketTokens=${options.targetPacketTokens}\n`);
+            }
             chunks.push([task]);
             continue;
         }
@@ -93,6 +92,9 @@ function chunkPacketTasks(tasks, options) {
         const wouldExceedTaskCount = options.maxTasksPerPacket > 0 && current.length > 0 && candidate.length > options.maxTasksPerPacket;
         const wouldExceedTokens = current.length > 0 && candidateContentTokens > options.targetPacketTokens;
         if (wouldExceedTaskCount || wouldExceedTokens) {
+            if (verbose && wouldExceedTokens) {
+                process.stderr.write(`[audit-code:packet-planning] token-budget split: task="${task.task_id}" file="${task.file_paths[0] ?? ""}" candidateContentTokens=${candidateContentTokens} targetPacketTokens=${options.targetPacketTokens}\n`);
+            }
             chunks.push(current);
             current = [];
         }

package/dist/orchestrator/runtimeCommand.js

@@ -32,21 +32,49 @@ export async function runCommand(command, cwd, options = {}) {
         child.stderr.on("data", (chunk) => {
             stderr += String(chunk);
         });
+        let exitCode = null;
+        let exitSignal = null;
         child.on("error", (error) => {
+            const output = `${stdout}\n${stderr}`.trim();
+            const lines = output.length > 0 ? output.split(/\r?\n/) : [];
+            const truncated = lines.length > 10;
+            const evidence = truncated
+                ? [`[... truncated: showing last 10 of ${lines.length} lines ...]`, ...lines.slice(-10)]
+                : lines;
             resolve({
                 status: "inconclusive",
                 summary: `Failed to execute ${displayCommand}: ${error.message}`,
-                evidence: [],
+                evidence,
             });
         });
-        child.on("exit", (code) => {
+        child.on("exit", (code, signal) => {
+            exitCode = code;
+            exitSignal = signal;
+        });
+        child.on("close", () => {
             const output = `${stdout}\n${stderr}`.trim();
-            const evidence = output.length > 0 ? output.split(/\r?\n/).slice(-10) : [];
+            const lines = output.length > 0 ? output.split(/\r?\n/) : [];
+            const truncated = lines.length > 10;
+            const evidence = truncated
+                ? [`[... truncated: showing last 10 of ${lines.length} lines ...]`, ...lines.slice(-10)]
+                : lines;
+            const succeeded = exitCode === 0;
+            let summary;
+            if (succeeded) {
+                summary = `Deterministic runtime command succeeded: ${displayCommand}`;
+            }
+            else if (exitCode !== null) {
+                summary = `Deterministic runtime command failed with exit code ${exitCode}: ${displayCommand}`;
+            }
+            else if (exitSignal !== null) {
+                summary = `Deterministic runtime command terminated by signal ${exitSignal}: ${displayCommand}`;
+            }
+            else {
+                summary = `Deterministic runtime command exited with unknown status: ${displayCommand}`;
+            }
             resolve({
-                status: code === 0 ? "confirmed" : "not_confirmed",
-                summary: code === 0
-                    ? `Deterministic runtime command succeeded: ${displayCommand}`
-                    : `Deterministic runtime command failed with exit code ${code}: ${displayCommand}`,
+                status: succeeded ? "confirmed" : "not_confirmed",
+                summary,
                 evidence,
             });
         });

package/dist/orchestrator/runtimeValidationUpdate.js

@@ -8,14 +8,17 @@ function normalizeResult(result) {
 export function updateRuntimeValidationReport(tasks, existing, updates) {
     const validTaskIds = new Set(tasks.tasks.map((task) => task.id));
     const merged = new Map();
+    const staleIds = new Set();
     for (const result of existing.results) {
         if (!validTaskIds.has(result.task_id)) {
+            staleIds.add(result.task_id);
             continue;
         }
         merged.set(result.task_id, normalizeResult(result));
     }
     for (const update of updates.results) {
         if (!validTaskIds.has(update.task_id)) {
+            staleIds.add(update.task_id);
             continue;
         }
         const prior = merged.get(update.task_id);
@@ -33,6 +36,9 @@ export function updateRuntimeValidationReport(tasks, existing, updates) {
             notes: [...new Set([...(prior.notes ?? []), ...(update.notes ?? [])])],
         });
     }
+    if (staleIds.size > 0) {
+        console.warn("[runtimeValidationUpdate] Dropped %d stale result(s) not in task manifest: %s", staleIds.size, [...staleIds].join(", "));
+    }
     for (const task of tasks.tasks) {
         if (!merged.has(task.id)) {
             merged.set(task.id, {

package/dist/orchestrator/selectiveDeepening/highRiskClean.js

@@ -18,8 +18,9 @@ export function isHighRiskCleanResult(result, task) {
     return result.requires_followup === true && task.priority === "medium";
 }
 export function buildHighRiskCleanFollowupTask(params) {
-    const paths = uniqueSorted((params.task?.file_paths.length ?? 0) > 0
-        ? (params.task?.file_paths ?? [])
+    const taskFilePaths = params.task?.file_paths;
+    const paths = uniqueSorted(taskFilePaths && taskFilePaths.length > 0
+        ? taskFilePaths
         : params.result.file_coverage.map((coverage) => coverage.path));
     return {
         task_id: taskIdFor("clean", [params.result.task_id, params.result.lens]),

package/dist/orchestrator/selectiveDeepening/lensVerification.js

@@ -1,5 +1,15 @@
 import { isHighRiskCleanResult } from "./highRiskClean.js";
 import { DEEPENING_TAG, IMPORTANT_LENS_VERIFICATION_LENSES, LENS_VERIFICATION_TAG, MAX_LENS_VERIFICATION_FILES, MAX_LENS_VERIFICATION_RESULT_SUMMARIES, SEVERITY_RANK, formatList, getExternalAnalyzerPaths, isDeepeningTask, isLensVerificationTask, lineCountForPath, lineCountFromSources, priorityLabel, priorityRank, taskIdFor, uniqueSorted, } from "./shared.js";
+/** Score boost for files touched by a critical-flow task — highest semantic signal. */
+const SCORE_CRITICAL_FLOW = 6;
+/** Score boost for files flagged by an external analyzer tool — treated equally to critical-flow signal. */
+const SCORE_EXTERNAL_ANALYZER_SIGNAL = 6;
+/** Score boost for files from a large-file task — moderately elevated scrutiny. */
+const SCORE_LARGE_FILE = 4;
+/** Score boost for a high-risk task whose result was suspiciously clean — warrants re-examination. */
+const SCORE_HIGH_RISK_CLEAN = 5;
+/** Score boost for files directly matched by an external-analyzer path set — strongest single boost, above tag signals. */
+const SCORE_EXTERNAL_ANALYZER_PATH_MATCH = 8;
 function sourceTaskIds(sources) {
     return uniqueSorted(sources.map((source) => source.result.task_id));
 }
@@ -16,12 +26,16 @@ function lensVerificationTriggers(params) {
     const cleanResults = params.sources.filter((source) => source.result.findings.length === 0 &&
         source.result.requires_followup !== false);
     const highRiskCleanResults = params.sources.filter((source) => isHighRiskCleanResult(source.result, source.task));
+    const pathOwnerMap = new Map();
+    for (const source of params.sources) {
+        for (const path of resultFiles(source)) {
+            if (!pathOwnerMap.has(path))
+                pathOwnerMap.set(path, source);
+        }
+    }
     const totalLines = filePaths.reduce((sum, path) => {
-        const owner = params.sources.find((source) => resultFiles(source).includes(path));
-        return (sum +
-            (owner
-                ? lineCountForPath(path, owner.task, owner.result)
-                : 0));
+        const owner = pathOwnerMap.get(path);
+        return sum + (owner ? lineCountForPath(path, owner.task, owner.result) : 0);
     }, 0);
     const triggers = [];
     if (params.sources.some((source) => source.task?.priority === "high")) {
@@ -90,7 +104,7 @@ function shouldBuildLensVerificationTask(params) {
     const candidateId = taskIdFor("steward", [params.lens, ...sourceSignature]);
     return !params.existingTasks.some((task) => task.task_id === candidateId);
 }
-function selectLensVerificationFiles(sources, externalAnalyzerPaths) {
+function selectLensVerificationFiles(sources, externalAnalyzerPaths, lens) {
     const scores = new Map();
     function add(path, score, lines) {
         const current = scores.get(path) ?? { score: 0, lines };
@@ -104,13 +118,13 @@ function selectLensVerificationFiles(sources, externalAnalyzerPaths) {
         for (const path of resultFiles(source)) {
             add(path, priorityScore, lineCountForPath(path, source.task, source.result));
             if (source.task?.tags?.includes("critical_flow"))
-                add(path, 6, 0);
+                add(path, SCORE_CRITICAL_FLOW, 0);
             if (source.task?.tags?.includes("external_analyzer_signal"))
-                add(path, 6, 0);
+                add(path, SCORE_EXTERNAL_ANALYZER_SIGNAL, 0);
             if (source.task?.tags?.includes("large_file"))
-                add(path, 4, 0);
+                add(path, SCORE_LARGE_FILE, 0);
             if (highRiskClean)
-                add(path, 5, 0);
+                add(path, SCORE_HIGH_RISK_CLEAN, 0);
         }
         for (const finding of source.result.findings) {
             for (const file of finding.affected_files) {
@@ -120,7 +134,7 @@ function selectLensVerificationFiles(sources, externalAnalyzerPaths) {
     }
     for (const path of externalAnalyzerPaths) {
         if (scores.has(path)) {
-            add(path, 8, 0);
+            add(path, SCORE_EXTERNAL_ANALYZER_PATH_MATCH, 0);
         }
     }
     const ranked = [...scores.entries()].sort((a, b) => {
@@ -133,10 +147,15 @@ function selectLensVerificationFiles(sources, externalAnalyzerPaths) {
         return a[0].localeCompare(b[0]);
     });
     if (ranked.length > MAX_LENS_VERIFICATION_FILES) {
-        // No RunLogger in scope here: emit the established structured-stderr signal
-        // so the silent task-budget truncation leaves a trace.
-        process.stderr.write(`[audit-code] selectiveDeepening: truncated verification-file list to ` +
-            `${MAX_LENS_VERIFICATION_FILES} of ${ranked.length}\n`);
+        process.stderr.write(JSON.stringify({
+            level: "warn",
+            source: "audit-code:selectiveDeepening",
+            event: "truncated_verification_file_list",
+            lens,
+            kept: MAX_LENS_VERIFICATION_FILES,
+            total: ranked.length,
+            ts: new Date().toISOString(),
+        }) + "\n");
     }
     return ranked.slice(0, MAX_LENS_VERIFICATION_FILES).map(([path]) => path);
 }
@@ -156,13 +175,20 @@ function summarizeLensVerificationSource(source) {
 }
 function buildLensVerificationTask(params) {
     const sourceIds = sourceTaskIds(params.sources);
-    const selectedPaths = selectLensVerificationFiles(params.sources, params.externalAnalyzerPaths);
+    const selectedPaths = selectLensVerificationFiles(params.sources, params.externalAnalyzerPaths, params.lens);
     const allPaths = uniqueSorted(params.sources.flatMap(resultFiles));
     const omittedPathCount = Math.max(0, allPaths.length - selectedPaths.length);
     const externalPathsInScope = allPaths.filter((path) => params.externalAnalyzerPaths.has(path));
     if (params.sources.length > MAX_LENS_VERIFICATION_RESULT_SUMMARIES) {
-        process.stderr.write(`[audit-code] selectiveDeepening: truncated result-summary list to ` +
-            `${MAX_LENS_VERIFICATION_RESULT_SUMMARIES} of ${params.sources.length}\n`);
+        process.stderr.write(JSON.stringify({
+            level: "warn",
+            source: "audit-code:selectiveDeepening",
+            event: "truncated_result_summary_list",
+            lens: params.lens,
+            kept: MAX_LENS_VERIFICATION_RESULT_SUMMARIES,
+            total: params.sources.length,
+            ts: new Date().toISOString(),
+        }) + "\n");
     }
     const summaries = params.sources
         .sort((a, b) => a.result.task_id.localeCompare(b.result.task_id))

package/dist/orchestrator/staleness.js

@@ -1,14 +1,14 @@
 import { getArtifactValue } from "../io/artifacts.js";
 import { ARTIFACT_DEPENDENTS_MAP } from "./dependencyMap.js";
 import { present } from "./artifactMetadata.js";
-import { buildReverseDependencyMap, hashArtifactValue, stableStringify, } from "./artifactFreshness.js";
+import { buildArtifactDependenciesMap, hashArtifactValue, stableStringify, } from "./artifactFreshness.js";
 function computeContentHash(artifactName, bundle) {
     const value = getArtifactValue(bundle, artifactName);
     if (value === undefined || value === null)
         return undefined;
     return hashArtifactValue(artifactName, value);
 }
-const REVERSE_DEPENDENCY_MAP = buildReverseDependencyMap();
+const ARTIFACT_DEPENDENCIES_MAP = buildArtifactDependenciesMap();
 export function computeStaleArtifacts(bundle) {
     const stale = new Set();
     const metadata = bundle.artifact_metadata;
@@ -16,7 +16,7 @@ export function computeStaleArtifacts(bundle) {
         for (const [artifactName, entry] of Object.entries(metadata.artifacts)) {
             if (!present(bundle, artifactName))
                 continue;
-            const expectedDependencies = [...(REVERSE_DEPENDENCY_MAP[artifactName] ?? [])]
+            const expectedDependencies = [...(ARTIFACT_DEPENDENCIES_MAP[artifactName] ?? [])]
                 .filter((dependencyName) => dependencyName !== "artifact_metadata.json")
                 .sort();
             const recordedDependencies = Object.keys(entry.dependency_revisions).sort();

package/dist/orchestrator/state.js

@@ -72,7 +72,7 @@ export function deriveAuditState(bundle) {
     obligations.push(obligation("runtime_validation_current", runtimeReady
         ? "satisfied"
         : has(bundle.runtime_validation_report)
-            ? "missing"
+            ? "stale"
             : "missing", runtimeTasks.length === 0
         ? "No deterministic runtime validation tasks were planned."
         : undefined));

package/dist/orchestrator/syntaxResolutionExecutor.js

@@ -42,6 +42,19 @@ function hasEslintConfig(root) {
 function snippet(value) {
     return value.replace(/\s+/g, " ").trim().slice(0, 500);
 }
+function commandErrorResult(tool, command, results) {
+    return {
+        results,
+        status: {
+            tool,
+            command: command?.candidate.display,
+            resolved: Boolean(command),
+            status: command?.error ? "spawn_error" : "not_resolved",
+            exit_code: command?.exitCode,
+            error: command?.error?.message,
+        },
+    };
+}
 function runTsc(root) {
     const results = [];
     const command = runFirstAvailableCommand(root, [
@@ -49,17 +62,7 @@ function runTsc(root) {
         { command: "tsc", args: ["--noEmit"], display: "tsc --noEmit" },
     ]);
     if (!command || command.error) {
-        return {
-            results,
-            status: {
-                tool: "tsc",
-                command: command?.candidate.display,
-                resolved: Boolean(command),
-                status: command?.error ? "spawn_error" : "not_resolved",
-                exit_code: command?.exitCode,
-                error: command?.error?.message,
-            },
-        };
+        return commandErrorResult("tsc", command, results);
     }
     const output = [command.stdout, command.stderr].filter(Boolean).join("\n");
     const lines = output.split("\n");
@@ -91,7 +94,7 @@ function runTsc(root) {
     }
     if (results.length === 0 && output.trim().length > 0) {
         const outputSnippet = snippet(output);
-        process.stderr.write(`[syntax-resolution] tsc output could not be parsed: ${outputSnippet}\n`);
+        process.stderr.write(`[syntax-resolution] tsc output could not be parsed: ${outputSnippet} (root=${root}, exit_code=${command.exitCode}, ts=${new Date().toISOString()})\n`);
         return {
             results,
             status: {
@@ -136,17 +139,7 @@ function runEslint(root) {
         },
     ]);
     if (!command || command.error) {
-        return {
-            results,
-            status: {
-                tool: "eslint",
-                command: command?.candidate.display,
-                resolved: Boolean(command),
-                status: command?.error ? "spawn_error" : "not_resolved",
-                exit_code: command?.exitCode,
-                error: command?.error?.message,
-            },
-        };
+        return commandErrorResult("eslint", command, results);
     }
     const output = [command.stdout, command.stderr].filter(Boolean).join("\n").trim();
     if (output.length === 0) {
@@ -181,7 +174,7 @@ function runEslint(root) {
     }
     catch {
         const outputSnippet = snippet(output);
-        process.stderr.write(`[syntax-resolution] eslint output could not be parsed: ${outputSnippet}\n`);
+        process.stderr.write(`[syntax-resolution] eslint output could not be parsed: ${outputSnippet} (root=${root}, exit_code=${command.exitCode}, ts=${new Date().toISOString()})\n`);
         return {
             results,
             status: {

package/dist/orchestrator/synthesisExecutors.js

@@ -7,6 +7,7 @@ function buildBaseFindingsReport(bundle, results) {
         criticalFlows: bundle.critical_flows,
         coverageMatrix: bundle.coverage_matrix,
         runtimeValidationReport: bundle.runtime_validation_report,
+        runtimeValidationTaskManifest: bundle.runtime_validation_tasks,
         externalAnalyzerResults: bundle.external_analyzer_results,
         designAssessment: bundle.design_assessment,
     }));